Delta Airlines has patched a bug that passengers could have used to view other people’s boarding passes.
Paul Skrbec, a spokesman for the airline company, made the following comments about the incident: “Security is a top priority for Delta, and we employ multiple levels of it throughout the travel process. After a possible issue with our mobile boarding passes was discovered late Monday, our IT teams quickly put a solution in place this morning to prevent it from occurring.”
Dani Grant, the founder of Hackers of NY, first discovered the bug earlier this week. In a blog post, she shared a screenshot of the two different boarding passes, which she received by simply changing one digit in the URL of the original boarding pass.
That’s not to say that the method worked every time. Staff members at Gizmodo tried to replicate the process, but it did not work. As Grant explains, “It’s luck of the numbers. Not every URL string corresponded to a valid boarding pass—if you kept changing digits, you’d find one.”
Additionally, boarding pass URLs likely expire eventually, which would have rendered the bug useless after a certain period of time.
But within that window of opportunity, social engineers and online scammers could feasibly have exploited the vulnerability and used passengers’ boarding passes to try to phish for other information.
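The pattern behind the bug, next to one way of closing it, as an added example that is not Delta's code or its fix: a lookup keyed only on the number in the URL, beside a link whose signature covers the pass number and an expiry time. The URL layout, key, records and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

SECRET = b"constructed-demo-key"  # constructed; load from a secret store in practice
# Constructed records; adjacent numbers mirror the "change one digit" case.
PASSES = {
    1000231: {"name": "A. Example", "seat": "14C"},
    1000232: {"name": "B. Sample", "seat": "22A"},
}

def fetch_weak(url):
    """Weak pattern: the number in the path is the only thing checked."""
    pass_id = int(urlparse(url).path.rsplit("/", 1)[-1])
    return PASSES.get(pass_id)

def _tag(pass_id, expires):
    """HMAC over the pass number and expiry, so neither can be edited."""
    msg = f"{pass_id}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_link(pass_id, ttl=3600, now=None):
    """Issue a link whose signature covers the pass number and the expiry."""
    expires = int(time.time() if now is None else now) + ttl
    return f"/pass/{pass_id}?exp={expires}&sig={_tag(pass_id, expires)}"

def fetch_hardened(url, now=None):
    """Return the pass only if the signature matches and the link is unexpired."""
    parts = urlparse(url)
    query = parse_qs(parts.query)
    try:
        pass_id = int(parts.path.rsplit("/", 1)[-1])
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None  # missing or malformed parameters
    # Compare as bytes in constant time; a non-ASCII sig cannot raise here.
    if not hmac.compare_digest(_tag(pass_id, expires).encode(), sig.encode()):
        return None  # path or expiry was altered after issuance
    if (time.time() if now is None else now) > expires:
        return None  # link has expired
    return PASSES.get(pass_id)
```

A signed link is still a bearer credential, so anyone holding the full URL can open the pass until it expires; where a logged-in session exists, checking that the pass belongs to the session user adds a second control.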
This type of vulnerability is far from new. Earlier this month, a security researcher discovered a flaw in the Chinese e-commerce megabrand Alibaba in which users could alter a URL and gain access to another user’s ID.
Also, back in April, the U.S. Court of Appeals for the Third Circuit overturned the conviction of Andrew Auernheimer, who had guessed or brute-forced different SIM card identifiers to gain access to strangers’ iPads.
According to Delta Airlines, Grant’s vulnerability never affected the flight safety of any of its passengers or flight personnel.